Package: perdition
Version: 1.17-7
Severity: normal
Tags: patch

Perdition contains a programming error (or oversight) in the setup routine for an incoming SSL connection:
[perdition/ssl.h, definition]

    SSL_CTX *perdition_ssl_ctx(const char *ca_file, const char *ca_path,
                               const char *cert, const char *privkey,
                               const char *ca_chain_file, const char *ciphers);

[perdition/perdition.c]:

    if(opt.ssl_mode & SSL_LISTEN_MASK) {
        ssl_ctx = perdition_ssl_ctx(NULL, NULL, opt.ssl_cert_file,
                                    opt.ssl_key_file, opt.ssl_ca_chain_file,
                                    opt.ssl_listen_ciphers);

As you can see, the parameters for the ca_file and the ca_path are unused and thus incoming encrypted connections cannot be verified with either a configured ssl_ca_file or a configured ssl_ca_path (normally /etc/ssl/certs). This is inconsistent with the documentation and also very confusing, because on outgoing connections, ssl_ca_path is used.

My patch alters the function in the following way:

[perdition/perdition.c after patching]:

    if(opt.ssl_mode & SSL_LISTEN_MASK) {
        ssl_ctx = perdition_ssl_ctx(opt.ssl_ca_file, opt.ssl_ca_path, opt.ssl_cert_file,
                                    opt.ssl_key_file, opt.ssl_ca_chain_file,
                                    opt.ssl_listen_ciphers);

After this modification, one only needs to set the ssl_ca_path option to e.g. /etc/ssl/certs and perdition will work as intended.

This patch is tested on the mail system of Fachhochschule Gießen (Germany) and works perfectly. Without this patch, _any_ user with a personal X.509 certificate inside his MUA (Thunderbird for example) is unable to connect to our perdition servers, because perdition is unable to find the needed CA certs, because the SSL context is set up without the correct path (/etc/ssl/certs/).
Example error message in that case:

    Jul 28 18:32:10 mailserv perdition[1762]: Connect: 192.168.192.85->192.168.186.80
    Jul 28 18:32:10 mailserv perdition[1762]: depth:1 cert:"/C=DE/O=Fachhochschule Giessen-Friedberg/CN=Fachhochschule Giessen-Friedberg CA-G01/[EMAIL PROTECTED]"
    Jul 28 18:32:10 mailserv perdition[1762]: error: unable to get local issuer certificate
    Jul 28 18:32:10 mailserv perdition[1762]: __perdition_ssl_connection: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Jul 28 18:32:10 mailserv perdition[1762]: __perdition_ssl_connection: SSL_accept
    Jul 28 18:32:10 mailserv perdition[1762]: __perdition_ssl_connection: no shared ciphers?
    Jul 28 18:32:10 mailserv perdition[1762]: perdition_ssl_server_connection: perdition_ssl_connection
    Jul 28 18:32:10 mailserv perdition[1762]: main: perdition_ssl_server_connection SSL
    Jul 28 18:32:10 mailserv perdition[1762]: Fatal error establishing SSL connection to client

This is because perdition is unable to find the CA certs inside /etc/ssl/certs, because the option ssl_ca_path is not passed to perdition_ssl_ctx.

Please apply my patch and also send this upstream, as the original author might be interested as well.

Regards,
Sven Hartge
--- perdition-1.17.orig/perdition/perdition.c +++ perdition-1.17/perdition/perdition.c @@ -405,7 +405,7 @@ &(opt.mangled_capability), opt.ssl_mode, tls_state); if(opt.ssl_mode & SSL_LISTEN_MASK) { - ssl_ctx = perdition_ssl_ctx(NULL, NULL, opt.ssl_cert_file, + ssl_ctx = perdition_ssl_ctx(opt.ssl_ca_file, opt.ssl_ca_path, opt.ssl_cert_file, opt.ssl_key_file, opt.ssl_ca_chain_file, opt.ssl_listen_ciphers); if(!ssl_ctx) {
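Review bot: the replaced call line in this hunk is now wider than the surrounding code and its two continuation lines no longer line up under the opening parenthesis of perdition_ssl_ctx(; consider moving opt.ssl_cert_file down so the arguments wrap as "ssl_ctx = perdition_ssl_ctx(opt.ssl_ca_file, opt.ssl_ca_path," / "opt.ssl_cert_file, opt.ssl_key_file, opt.ssl_ca_chain_file," / "opt.ssl_listen_ciphers);". The substance is right: passing opt.ssl_ca_file and opt.ssl_ca_path instead of NULL, NULL gives the listening context the same trust anchors the outgoing side already uses, and the existing if(!ssl_ctx) check after the call still covers the failure path, so no further error handling is needed here. Since the hunk touches only perdition.c, the ssl_ca_file and ssl_ca_path entries in the configuration documentation should be checked against this behaviour so they state explicitly that both options now govern client-certificate verification on the listening side as well.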